The hotfix

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

Privileged Access Management (PAM)

Issue 1

Some group memberships may not be removed by the MIM component service after the PAM request expiration period. This hotfix addresses removal of expired group memberships.

Note: If you use PAM, this is an important update and should be installed in all environments.

Issue 2

A PAM user has their NetBIOS domain name saved in the Service Database and the PAM user can log on to the Portal.

Issue 3

MIM Monitor errors occur when you use the NetBIOS name for source groups.

Issue 4

The New-PAMGroup and New-PAMUser cmdlets do not accept the fully qualified domain name (FQDN) of the domain.

MIM add-ins and extensions

Issue 1

The Approval buttons in the Outlook Add-in disappear in some UI interactions.

Issue 2

You receive an "Installation prerequisites not met" error message if you try to install the MIM Add-in for Outlook on a computer that has Outlook 2016 installed.

MIM Certificate Management

Issue 1

The Profile Template Settings Report displays incorrect information. It shows that PIN Rollover is enabled and that the Admin PIN initial value is set even if this is not true. Also, if the Diversify Admin Key setting is enabled, it is not displayed in the Profile Template Settings Report.

Events can be viewed in the Microsoft\IdentityManagement\CertificateManagement\Admin log. By default, CA modules also write messages to the system folder %temp% (usually C:\Windows\TEMP). To change the log file location, specify the new path of the file in the registry. Make sure that the directory exists and is writable by the CA.

How to change logs location

Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration in the registry.

String name: Microsoft.Clm.PolicyModulePlugins

Value data: The Value data can be one of the following values: Verbose|Info|Warning|Error

Note: Unless the key is defined, the default value is Info. After the Trace Switch is changed, restart the CA.

Issue 4

The "Support for non-FIM CM certificates requests" plug-in doesn't create profiles for external certificates that were created outside the MIM CM.

Issue 5

Certificate enrollment fails when the system uses the German locale.

MIM Synchronization Service

Issue 1

An export-only file-based ECMA2 connector could not export deleted objects.

Issue 2

The msDS-UserPasswordExpiryTimeComputed attribute is displayed as an available attribute in the Select Attributes tab of the Active Directory Domain Services (AD DS) management agent. The msDS-UserPasswordExpiryTimeComputed is a computed attribute in AD DS and is not detected by the import operation. As of this update, the attribute is removed from the list of available attributes in the management agent.

Issue 3

Sometimes during the "Import Server Configuration" stage in the MIM synchronization service (MIISClient), the Import Server Configuration dialog box hangs.

Issue 4

Running more than one run profile with a synchronization task at the same time may cause data corruption.

Issue 8

This update adds a new cmdlet Add-MIISADMARunProfileStep.

Note: It adds run profile step "Full import" assigned to partition 'DC=CONTOSO,DC=COM' to the run profile with name 'ADMA_FULLIMPORT' of the management agent AD_MA. If a run profile with this name doesn’t exist, it will be created. The management agent should already exist.

Possible values of the StepType parameter (short form or long one can be used):

Issue 9

MmsScrpt.exe crashes because of the binary having an invalid entry point. The most common error displayed is "Access violation."

Issue 10

The Import-MIISServerConfig PowerShell cmdlet does not allow for skipping the Management Agent during configuration import.

MIM Portal

Issue 1

This update enables customizations that have controls shown and hidden based on the state of the email enabling check box.

An additional attribute to RCDC’s configuration data is included in this update. The Event element may now have a Parameters attribute. For the Group RCDC, for the OnChangeEmailEnabling event, it should contain a comma-separated (case-sensitive) list of controls to show or hide.

Issue 3

All supported languages and cultures are now localized correctly. Some were reported to be localized incorrectly for some culture-specific localization settings.

Issue 4

The Portal does not verify the content of uploaded image files. However, the Portal can check the content of an image. To enable this verification, change the User Creation and User Editing RCDCs by adding the Property option to the UocFileUpload type, as in the following example:

<my:Property my:Name="ValidateImage" my:Value="true"/>
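
One way to confirm the setting is in place is to scan RCDC configuration XML for UocFileUpload controls that do not set ValidateImage to true. This is an added example, not part of the original article or of Microsoft's code. The function name Find-UnvalidatedUpload, the sample XML layout, its placeholder namespace URI and the control names are assumptions constructed for illustration.

```powershell
# Added example (not from the article): list UocFileUpload controls in an
# RCDC configuration that do not carry ValidateImage = "true".
function Find-UnvalidatedUpload {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$RcdcXml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null        # never fetch external DTDs or entities
    $doc.LoadXml($RcdcXml)

    # Match on local names so the check works whatever prefix the file uses.
    $upload = "//*[local-name()='Control']" +
              "[@*[local-name()='TypeName']='UocFileUpload']"
    $flag   = ".//*[local-name()='Property']" +
              "[@*[local-name()='Name']='ValidateImage']"

    foreach ($control in $doc.SelectNodes($upload)) {
        $prop  = $control.SelectSingleNode($flag)
        $value = $null
        if ($null -ne $prop) {
            $attr = $prop.SelectSingleNode("@*[local-name()='Value']")
            if ($null -ne $attr) { $value = $attr.Value }
        }
        # Case-sensitive compare: only the exact value shown in the article passes.
        if ($value -cne 'true') {
            $name = $control.SelectSingleNode("@*[local-name()='Name']")
            [pscustomobject]@{
                Control       = if ($null -ne $name) { $name.Value } else { '(unnamed)' }
                ValidateImage = if ($null -ne $value) { $value } else { '(not set)' }
            }
        }
    }
}

# Constructed sample: "Photo" sets the property, "Badge" has no ValidateImage.
$sample = @'
<my:ObjectControlConfiguration xmlns:my="urn:example:rcdc">
  <my:Control my:Name="Photo" my:TypeName="UocFileUpload">
    <my:Properties>
      <my:Property my:Name="ValidateImage" my:Value="true"/>
    </my:Properties>
  </my:Control>
  <my:Control my:Name="Badge" my:TypeName="UocFileUpload">
    <my:Properties/>
  </my:Control>
</my:ObjectControlConfiguration>
'@

Find-UnvalidatedUpload -RcdcXml $sample | Format-Table -AutoSize
```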

MIM Service

Issue 1

During the 4.3.2064.0 hotfix installation, the database upgrade fails if the FIM Service database name is not the default name of FIMService.

Issue 2

Deadlocks may occur during a request evaluation if a complex Set schema is implemented.